win32 Posted June 15, 2020

To prevent user confusion, I strongly recommend disregarding the tutorials and contacting me directly instead about the extended kernel. The original post was removed as it was continuing to confuse users. There will be further discussion about the evolution of the extended kernel in the coming pages.

burd Posted June 15, 2020

2 hours ago, win32 said: Attention Windows Vista x64 users! Did you feel wounded by the way your OS was surpassed by NT 6.1? And felt salt being poured into those wounds when BlackWingCat implemented some of those NT 6.1+ functions in his extended kernel for NT 5.0? Now I'm here to give Windows Vista the leg up it has always deserved! All you need is CFF Explorer and ExportTableTester. (rules prohibit the distribution of modified MS binaries) First, enter X:\Windows\System32 (where X: is the letter of your system partition) and copy kernel32.dll (for this experiment, I'm using version 6.00.6002.19623) to another folder. Open that copy of kernel32.dll in CFF Explorer and click "Section Headers [x]" on the left sidebar. Keep your attention on the .text section and scroll down to the bottom of the hex representation of the section, where you will find a portion filled with zeros. Then starting at offset 000BCF50, add all of the non-zero code shown in the image below:

My values aren't 0 beforehand, should I still copy yours? How should I edit them?

Edited June 15, 2020 by burd

win32 Posted June 15, 2020 Author

31 minutes ago, burd said: My values aren't 0 beforehand, should I still copy yours? How should I edit them?

Which version of kernel32.dll do you have? I was quite concerned about this possibility, given that Vista has multiple update paths (through April 2017 EOL, Server 2008 updates until the one that changes the build to 6003, Server 2008 EOL and ongoing ESU). I decided to forgo all updates after Vista's EOL, and the kernel32.dll I have was actually updated in March 2016 (I know there is a later one numbered 6.0.6003.20489), so I was hoping that frequent updates to the file wouldn't take place.

In any event, start adding the code on the first line with all zeros. And accordingly adjust the function addresses in ExportTableTester.

Edited June 15, 2020 by win32

burd Posted June 15, 2020

4 minutes ago, win32 said: Which version of kernel32.dll do you have? I was quite concerned about this possibility, given that Vista has multiple update paths (through April 2017 EOL, Server 2008 updates until the one that changes the build to 6003, Server 2008 EOL and ongoing ESU). I decided to forgo all updates after Vista's EOL, and the kernel32.dll I have was actually updated in March 2016 (I know there is a later one numbered 6.0.6003.20489), so I was hoping that frequent updates to the file wouldn't take place. In any event, start adding the code on the first line with all zeros. And accordingly adjust the function addresses in ExportTableTester.

Mine is 6.0.6003.20825, by first line you mean 000BCF50, right? I'll just copy your code ditto with zeros? Most of us here aren't really experienced with this coding, sorry for too many questions.

Edited June 15, 2020 by burd

win32 Posted June 15, 2020 Author

1 minute ago, burd said: Mine is 6.0.6003.20825, by first line you mean 000BCF50, right? I'll just copy your code ditto with zeros? Most of us here aren't really experienced with this coding, sorry for too many questions.

Unfortunately, it appears that starting with 6.0.6003.20731, they ate up most of the zeros in .txt. So the solution to that will be to add a new section, which I was intending on doing for later updates to the initial version. So right click in section headers view, click "Add Section (Empty Space)", make the size 0000B100 (looking forward to many new API functions!) and then name it .xdata. And then add the code in that section, though the offsets reset themselves per-section in section headers view so you will be telling ExportTableTester that your functions will be located at 00128E00, 00128E10, 00128E20...

Given that kernel extending is typically seen as an "elite" activity in the world of Microsoft Windows, and this is the very first go of it for NT 6.x, I'm not surprised to see this level of questioning, considering that this could open up the art of kernel extension to a far wider audience than before. Though it will be for the greater good, as Vista has certainly been held back win2k-style by MS.

NB: the procedure for modifying the file should be the same through 6.0.6003.20686 as in the OP though.

burd Posted June 15, 2020

10 minutes ago, win32 said: Unfortunately, it appears that starting with 6.0.6003.20731, they ate up most of the zeros in .txt. So the solution to that will be to add a new section, which I was intending on doing for later updates to the initial version. So right click in section headers view, click "Add Section (Empty Space)", make the size 0000B100 (looking forward to many new API functions!) and then name it .xdata. And then add the code in that section, though the offsets reset themselves per-section in section headers view so you will be telling ExportTableTester that your functions will be located at 00128E00, 00128E10, 00128E20... Given that kernel extending is typically seen as an "elite" activity in the world of Microsoft Windows, and this is the very first go of it for NT 6.x, I'm not surprised to see this level of questioning, considering that this could open up the art of kernel extension to a far wider audience than before. Though it will be for the greater good, as Vista has certainly been held back win2k-style by MS. NB: the procedure for modifying the file should be the same through 6.0.6003.20686 as in the OP though.

Hmm, this is far more complicated than expected, I hope there will be an easier way in the future, although this certainly opens up multiple possibilities and it's really impressive what you have achieved here.

burd Posted June 15, 2020

@win32 does this look correct to you? https://imgur.com/a/UTYkcTj

Ofc I still need to fill in the code.

Edited June 15, 2020 by burd

Ximonite Posted June 15, 2020

1 minute ago, burd said: does this look correct to you?

You need to set the characteristics of .xdata to 60000020. Also did you type the H in the section or was it just there? Besides those 2 things, it looks correct.

win32 Posted June 15, 2020 Author

5 minutes ago, burd said: @win32 does this look correct to you? https://imgur.com/a/UTYkcTj Ofc I still need to fill in the code.

You are on the right track, and what @Ximonite said. I forgot about section flags/characteristics. The 48 is part of the first function of course.

Edited June 15, 2020 by win32

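Added example, not from the thread or from the extended kernel project: a small Python reader for the section table that CFF Explorer displays, which decodes a Characteristics value such as the 60000020 mentioned above and counts the trailing zero bytes in each section's raw data, the thing that differed between kernel32.dll builds earlier in the thread. The sample image is constructed inline and is not a real DLL; the C0000040 flags on its second section are an assumed value picked to show a section that is not executable.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
         0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ",
         0x80000000: "MEM_WRITE"}
SECTION = struct.Struct("<8sIIIIIIHHI")  # one 40-byte section header

def decode_flags(value):
    """Names of the known characteristic bits set in value."""
    return [name for bit, name in FLAGS.items() if value & bit]

def sections(pe):
    """Parse the section table; report flags and trailing zero padding."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (count,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    out = []
    for i in range(count):
        f = SECTION.unpack_from(pe, table + SECTION.size * i)
        name, raw_size, raw_ptr, chars = f[0], f[3], f[4], f[9]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "file_offset": raw_ptr,
                    "flags": decode_flags(chars),
                    "executable": bool(chars & 0x20000000),
                    "zero_tail": len(raw) - len(raw.rstrip(b"\0"))})
    return out

def build_sample():
    """Constructed two-section image for the demo, not a real DLL."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x2022)
    text = SECTION.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    added = SECTION.pack(b".xdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    image = (dos + coff + text + added).ljust(0x200, b"\0")
    image += b"\x48" * 0x1F0 + b"\0" * 0x10  # .text: filler bytes, then 16 zeros
    image += b"\0" * 0x200                   # .xdata: still empty
    return image

if __name__ == "__main__":
    for s in sections(build_sample()):
        print(s)
```

Run against a copy of a DLL (`sections(open(path, "rb").read())`), the same function shows at a glance whether a section carries MEM_EXECUTE and how much zero padding its raw data ends with.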
burd Posted June 15, 2020

2 minutes ago, win32 said: You are on the right track, and what @Ximonite said. I forgot about section flags. The 48 is part of the first function of course.

3 minutes ago, Ximonite said: You need to set the characteristics of .xdata to 60000020. Also did you type the H in the section or was it just there? Besides those 2 things, it looks correct.

Thank you.

burd Posted June 15, 2020

2 hours ago, Ximonite said: You need to set the characteristics of .xdata to 60000020. Also did you type the H in the section or was it just there? Besides those 2 things, it looks correct.

I typed 48, which made H show up.

Edited June 15, 2020 by burd

burd Posted June 15, 2020

@win32 all good I hope, also thanks for your guidance once again. https://imgur.com/a/gfURGam

EDIT: I've done it, how can I test if it works?

Edited June 15, 2020 by burd

win32 Posted June 15, 2020 Author

3 hours ago, burd said: @win32 all good I hope, also thanks for your guidance once again. https://imgur.com/a/gfURGam

Yes, those are all correct.

burd Posted June 15, 2020

4 minutes ago, win32 said: Yes, those are all correct.

I did everything, then realised I forgot to make the 000BCF50 back to normal, which was crashing explorer. Redid everything, it's all stable now, but I still don't know if it works or not. Do you know of any way that can confirm it?

Edited June 15, 2020 by burd

win32 Posted June 15, 2020 Author

11 minutes ago, burd said: I did everything, then realised I forgot to make the 000BCF50 back to normal, which was crashing explorer. Redid everything, it's all stable now, but I still don't know if it works or not. Do you know of any way that can confirm it?

We are only two functions away from getting GIMP 2.10.18 to possibly work - SetThreadErrorMode and K32GetModuleFileNameExA. So the first test of the extended kernel will be very soon. If anyone can find other x64 programs that were only prevented from running on Vista by the lack of the functions that have been implemented already, that would also be good.

Edited June 15, 2020 by win32